SSH Communications Security's SSH ISAKMP/Oakley Enables Internet Key
Exchange (IKE) Functionality in Xedia (R) Corporation's Access Point (TM)
QVPN (TM) Products

ESPOO, Finland, Jan. 8 /PRNewswire/ -- Xedia's Access Point QVPN is
the industry's first Internet access platform to integrate high performance 
IP routing, Class-Based Queuing bandwidth management, VPN security and 
traffic measurement services in a single platform designed to enable 
network providers to deliver secure, business-quality Internet services. 

The SSH ISAKMP/Oakley (SSH IKE) is a key security feature of Xedia's
Access Point QVPN products. SSH ISAKMP/Oakley provides Access Point QVPN
with key components to enable the most secure, interoperable and complete
IPSec solution in the market.

SSH ISAKMP/Oakley is a tailor-made toolkit for adding automatic key
management and authentication into IPSec based networking devices. It
supports the Internet Key Exchange (IKE) which automatically authenticates
the Access Point QVPN and clients connecting to it. It also negotiates
the security policy and encryption keys in a secure manner. SSH
ISAKMP/Oakley makes authentication secure, easy and hassle-free by
supporting Public Key Infrastructure integration with X.509 digital 
certificates and by interoperating with the major Certificate Authority 
(CA) vendors. 

IPSec (Internet Protocol Security) and IKE (Internet Key Exchange) 
are Internet Engineering Task Force (IETF) standards for protecting IP 
traffic using cryptography on the packet level. They are totally
transparent to the user, making them an ideal way of creating a company's
virtual private network. IPSec technology marks the transition from early
tunneling to fully-fledged Internet VPN services.

About SSH Communications Security 

SSH Communications Security Ltd. is an international software company 
specialized in demanding network security solutions. SSH provides 
cutting-edge, military strength cryptographic solutions for securing 
internet communications. The company's ssh (Secure Shell) application has 
become the de facto standard for secure logins, and is being used by 
hundreds of thousands of people in more than 50 countries. SSH IPSEC 
Express toolkit is the market leader in providing IPSEC (Internet Protocol 
Security) and IKE (Internet Key Exchange) technology to OEM customers. For 
more information, please see http://www.ipsec.com on the Internet. 

About Xedia Corporation 

Xedia Corporation, a privately-held, venture-backed corporation, is
leading the way with a new class of Internet access platform delivering the
performance, security, and service level control network providers need to
deliver the next generation of business class Internet services. Xedia's
Access Point products have been Internet-certified by the industry leading
Internet providers, including UUNET, PSINet and Sprint, and they are now 
being deployed in the most demanding business Internet services in the 
industry. The company is headquartered in Littleton, MA and can be reached 
at (978)952-6000. The Xedia Web site can be found at http://www.xedia.com. 

Xedia is a registered trademark and Access Point and QVPN are 
trademarks of Xedia Corporation. All other brands and product names may be 
trademarks or registered trademarks of their respective owners. 
COPYRIGHT 1999 Gale Group 
TEXT:

Cellular fraud costs the industry more than US$1 billion a year
worldwide. And at 50% per annum, it's growing three times faster than 
cellular operators' profits. In the second part of our special report on 
telecomms fraud, Stewart Wittering, Guy Daniels and Martyn Warwick cross 
their fingers and key in their PINs 

Make no mistake, fraud is big, big business. In pre-cellular days,
operators' losses were comparatively small, but the 1990s mobile boom
presented fraudsters with a golden opportunity to make some big bucks - and
they took it.

Think on this: during 1993, one European cellular operator lost 40% of
its call revenues to fraudsters. However, large though these losses were,
they pale into insignificance when set against today's figures - which are
widely accepted as being well in excess of $1 billion a year.

An endless war of attrition 

In 1992, UK losses due to handset cloning were put at about $1.5
million, (with a further $750,000 attributed to fraudulent applications). 
By 1995, it was estimated that one call in six was fraudulent and was 
costing the UK industry about $75 million a year. 

One particular user personally ran up a bill for $23,000 worth of 
international calls within two days. Now that takes determination, 
dedication and a goodly supply of throat lozenges. 

According to the Federation of Communications Services (FCS), during
the current year the industry loss due to cloning, stolen airtime and
stolen handsets will rise to $225 million. The cost to the consumer is not
known, but they are the ones who pay in the end.

Massive financial and human resources have been devoted to combating 
and reducing cellular fraud. However, recent experience indicates that, no 
matter how sophisticated the new anti-fraud measures and technologies may 
become, swindlers will always find a way round them. Operators have to be 
constantly aware of the types of fraud being committed and must devise the 
best possible means of countering their effects. Failure to do so results 
in loss of public confidence in the industry in general and increases churn 
in individual service operations in particular. 

The nature of the beast determines that detection rates and 
legislative sanctions will always lag behind changing fraud patterns, but 
governments are now fully awake to the seriousness of the situation and are 
doing something about it.

Tough on the causes of crime 

In the UK, a new Telecommunications (Fraud) Act has come into force 
and gives the police real power: telephone cloners and those who
fraudulently access airtime now face a prison sentence of up to five years. 

That the police mean business was demonstrated at a recent trial in 
the UK city of Northampton. Two men were sentenced to two years in prison 
for providing new identities for a relatively small number of stolen 
phones. There is every probability, and every reason why, other European 
operators will follow the UK's tough line. 

Perhaps the most difficult type of cellular fraud to detect is handset 
cloning. This involves the complete duplication of a legitimate terminal, 
including the mobile identification number (MIN), electronic serial number
(ESN), and, in some cases, the subscriber's personal identification number
(PIN). Cellular switches cannot readily distinguish between legitimate
terminals and clones which successfully bypass pre-call validation checks. 



Best of all, from the fraudster's perspective, the bill for the calls is 
passed on to the owner of the original handset. 

Most clones continue to use the same MIN and ESN combination until 
denied service by the operator. Some sophisticated clones, however, use 
different combinations, producing 'tumbling' phones which avoid triggering 
alarms and early detection. Tumbling works by setting up the MIN and ESN to 
step-on in value each time a call is made. This creates the illusion that 
each successive call is made by a different caller. 

The most common ways of obtaining MIN and ESN information are by theft
of subscriber data from the offices of the operator, or by the use of a
frequency scanner to intercept the data transmitted over the radio channel
each time a call is made or received, or whenever the mobile terminal
registers with the mobile switching centre (MSC).

Another way of obtaining the MIN and ESN is to set up a fake base 
station and antenna close to mobile terminals, which send their MIN-ESN 
combinations across the ether along with other, often highly confidential, 
information.

Sometimes the detection of cloning is made even more difficult by 
roaming fraud - when valid MIN and ESN combinations are stolen in one 
cellular area and used in another. In 1996 in the US, one call-sell
operation exposed a mobile operator to more than $1 million worth of
roaming charges in three days.

Furthermore, bills of as little as $100, if challenged and publicised, 
can lead to a loss of commercial confidence in an operator. That's why so 
many keep quiet about the extent to which they are defrauded and write-off 
the losses. 

Cloned phones are also frequently used to run call-sell operations. In 
Europe, one sting involved the cloning of dozens of analogue phones, while 
taking out one GSM account in a false name. The cloned phones were then 
used to sell international call capacity. Although they were barred from 
making international calls, the cloned phones were used to call the GSM 
phone, which then rerouted the calls to overseas destinations. 

Cloning is a huge global business. Many countries simply do not have 
the resources or legal tools effective enough to successfully combat 
cellular fraud. For example, in Venezuela cloning presently counts as a 
second degree crime punishable by a maximum penalty of five years in 
prison. However, the industry there is lobbying to have it made a first 
degree or premeditated crime, which carries a penalty of eight years. They 
reason that cloning should be put on a par with interference with fixed 
wireline communications - which is regarded as action against the security 
interests of the state. 

In Europe and many other parts of the world, GSM has been a remarkable 
success. The technology is remarkably sophisticated and so far there have 
been no substantiated instances of cloned GSM terminals in Europe.

The strength of GSM 

Recently though, university researchers in the US said they had
cracked GSM's A5 encryption algorithm. Well. It's always possible of
course, but their assertion is hard to verify as they have so far failed to
substantiate the claim.

While we are in the Land of the Free, it is interesting to note that
in the US, the notion of what constitutes freedom is very limited where
mobile communications is concerned.

PCS 1900, the US equivalent of GSM, actually uses a deliberately 
diluted form of encryption which permits government security agencies to 
monitor calls. What's more, encryption can even be turned off entirely in 
times of an undefined 'national emergency'. 

The US law enforcement lobbies and their apologists say that this is 
to help in the fight against organised crime, but many civil libertarians 
are suspicious that there may be more fundamental issues of personal 
liberty and privacy at stake. 

In Europe, confidence in GSM is rock solid - despite continued rumours 
that the French haven't even bothered to turn on their encryption system. 

Real fake identities 

Although handset cloning remains a problem, authentication regimes and
radio-frequency fingerprinting have had some effect. As a result, criminals
have moved on to subscription identity fraud which is based on retail point
of sale procedures and fake identities. Subscription fraud is at its worst 
(or best - depending which side of the fence you are on), in the US. In Los 
Angeles alone it is estimated that 8% of all cellular calls are fraudulent. 

Subscription fraud involves the criminal assumption of the persona of 
an innocent potential subscriber and is based on the acquisition of genuine 
personal data such as social security or healthcare numbers. Armed with a 
real ID (but fronted with a photo of the miscreant) the fraudster applies 
to take out a cellular subscription. Checks show that the proposed 
subscriber is credit-worthy - and off they go.

Handsets are then cloned for onward sale to criminal gangs. The poor
sap whose identity has been used eventually gets a bill for tens of 
thousands of dollars which, ultimately, the cellular operator usually has 
to bear. However, the innocent victim often ends up with the world's worst 
credit rating. 

In an attempt to stem a rising tide, cellular industry players have
banded together to form mutual protection alliances and to lobby trade 
bodies to co-ordinate anti-fraud measures. 

One such group, the US-based Cellular Telecommunications Industry
Association (CTIA), contacts the police whenever retail outlets report
repeat attempts to obtain cellular service. It has resulted in hundreds of
prosecutions.

Another CTIA counter-measure is to send 'welcome' letters to new
subscribers requesting confirmation that cellular service is required. When 
the subscriber calls, an identity check is run against a database. No 
match, no service. The system has cut the time that a fraudulent subscriber 
may be able to make calls from four weeks down to two. 

The enemy within 

But, even as subscription fraud begins to be addressed, the criminals 
are turning their attention elsewhere. Now bribery, blackmail and coercion 
are being used to force some cellular operator employees to reveal details 
of live numbers, new MIN and ESN combinations and to subvert security 
procedures.

The president of the CTIA, Tom McClure, is uncompromising on this
issue. "It is imperative that the industry takes a strong stand," he says.
"Crooked employees are criminals. They should be arrested in public to
serve as a deterrent to others. Those that do the crime should do the
time."

Not that such pronouncements cut much ice with the criminals. For 
example, in the UK during 1996, some 12,000 mobile phones vanished every 
month - at an estimated loss of $75 million to both operators and users. By 
early this year, the number of units stolen per month had risen to 15,000. 

Stolen instruments are simply rechipped and given a new identity. And, 
while theft and knowingly using a cloned phone is against the law in the 
UK, rechipping is perfectly legal. 

To try and beat the practice, operators now provide customers with a 
unique and secure identification code which is burnt into the handset. The 
number can then be blacklisted by the operating network if anything goes 
wrong. However, while the theory seems fine, it has had little deterrent 
effect in practice. 

A hard trail to follow 

For example, once a new SIM card is inserted into a GSM handset, it 
can be used free from detection. And in the UK, handsets are sold at highly 
subsidised rates (the latest models, which cost some $900 each to produce, 
go to new subscribers for as little as $15 to $50).

In cases of highly organised theft, gangs of criminals have travelled 
across the UK taking out phoney subscriptions using false identities. They
then sell on the SIM cards, which covers the costs associated with their 
peripatetic lifestyles, and collect hundreds of handsets for export (the 
main purpose of their dubious trade) - which end up in places as far away 
as Hong Kong.

In Uruguay, South America, the competitive market environment means 
that handsets are given away free to new subscribers. Because there is no 
benefit to be obtained by theft very little takes place and there is no 
current market for the resale of stolen handsets.



Hijacking calls 

One of the rather less prevalent, and therefore less well-known, types
of fraud is hijacking. Here, a fraudster uses a radio scanner to identify
when a bona fide call is being set up. Once authorisation checks are
complete, the call is swamped by RF signals which overpower the genuine
phone and hijack control of the voice channel. The fraudster then simply
drops the original call leg and makes his own.

Other illegal activities in the cellular arena include the clandestine
recording of private conversations and selling the contents to news media
(as apparently happened to the late Diana, Princess of Wales in the UK and,
more recently, to a government minister in Argentina).

Although such activities do not impact operator revenues, they do get 
high-profile media coverage - which damages operator credibility, increases 
churn and can even hit the share price.

Fighting back 

Having read this litany of horror, you might think that the odds are 
heavily stacked against cellular operators. And you would be right. This is 
a game of percentages and there are several steps that operators can take 
to shave down revenue losses to more acceptable levels. 

Ericsson, one of the world's biggest and most prestigious cellular 
infrastructure and handset manufacturers has devised a list of anti-cloning 
preventative measures; they include: 

* ESN screening: comparison of the transmitted ESN with black-listed
numbers, which can prevent a system from providing service to visitors 
whose ESN matches that of a serial number known to be stolen or fraudulent. 
If a match is detected, the caller is either disconnected or re-routed; 

* MIN screening: comparison of the transmitted MIN with the national 
numbering format whenever a terminal tries to access an MSC. If the two 
numbers don't match, access is denied; 

* Post-call validation: monitoring of call records, resulting in the 
removal of invalid phone numbers from service; 

* Pre-call validation: the use of IS-41 signalling protocols to query 
MIN-ESN combinations during call set-up;

* Pulling a switch out of service: a final sanction is to remove from 
service all the MINs within a given number range, for legitimate or cloned 
subscribers alike; 

* Pulling a service: a doomsday measure to block a frequently abused 
service, typically international; 

* Personal identification numbers (PIN): the use of a PIN for each
call made, or for the first call made outside the home catchment area, is 
an effective short term counter measure to cloning fraud. Although 
unpopular with subscribers, it allowed one operator to reduce revenue 
losses attributable to cloning by 70%. 

PINs can be used for other applications. They can also give 
subscribers the option of turning mobile cellular accounts on and off 
within certain catchment areas; to challenge callers attempting to make 
calls to international destinations or premium rate numbers; and to require 
users to validate themselves whenever clone use is suspected or whenever a 
subscriber terminal has not been used for some time. 

However, PINs can be subjected to insider fraud. To reduce the chances 
of this, the A-key (or private key) is issued and forwarded to the 
subscriber in a secure manner. This usually involves sending the number in 
several stages through the post. PIN code masking can be used to conceal 
the issued PIN number from the subscriber data printout, thereby reducing 
the risk of insider operator fraud. 

The military option 

Much current activity in the fight against cloning fraud is in 
authentication. Variations of this technique, which checks the validity of a
calling station, have been used in military voice networks for 50 years.
The radio equivalent uses demand-response analysis - a technique which
requires the base station to send out an authentication code to a handset,
which then responds with a corresponding sequence code.

The identity of a mobile terminal is not automatically accepted simply
because its MIN, ESN or PIN are correct. Using cellular authentication and
voice encryption (CAVE) algorithms, which obviate the need to send
confidential data over the air interface, the network authentication centre
(AC) issues a challenge via the MSC to the calling terminal. To respond to
the challenge, the handset must perform calculations using secret embedded
data.

Authentication can be used in several different ways: 

* Global challenging: used during the system access phase of a call, 
it requires the calling terminal to execute the CAVE algorithm using the 
private A-key, details of which are only stored in the terminal and the AC;

* Unique challenging: this is initiated by the AC, which validates 
the call using data sets stored only inside the calling terminal either on 
call set-up or upon receipt of a flash request; 

* Base station validation: allows the terminal to validate the 
base station which is polling it, thereby protecting it against 
fraudulent attacks;

* Shared secret data (SSD) updating: this involves checking the SSD 
on a routine or per demand basis; 

* Voice privacy: involves the encryption of a subscriber's 
transmitted conversation on digital networks (the more powerful systems use 
a combination of TDMA and CAVE);

* Signalling message encryption: protects key subscriber information 
by encrypting a select sub-set of signalling messages between the base
station and terminal. 
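
An added illustration of the challenge-response flow and the base station validation described above (not code from the article or from any vendor): HMAC-SHA256 stands in for the CAVE algorithm, which is not reproduced here, and the class names and the MIN and ESN values are constructed for the example.

```python
import hashlib
import hmac
import secrets


def keyed_response(a_key, role, min_, esn, challenge):
    """Stand-in for CAVE (assumption): HMAC-SHA256 over role, identity, challenge.

    `role` separates handset answers (b"MS") from network answers (b"BS") so
    an answer captured in one direction cannot be reflected in the other.
    """
    msg = b"|".join([role, min_.encode(), esn.encode(), challenge])
    return hmac.new(a_key, msg, hashlib.sha256).digest()


class Handset:
    def __init__(self, min_, esn, a_key):
        self.min, self.esn, self.a_key = min_, esn, a_key

    def respond(self, challenge):
        # The A-key never leaves the handset; only the computed answer does.
        return keyed_response(self.a_key, b"MS", self.min, self.esn, challenge)

    def network_is_genuine(self, network_answer):
        """Base station validation: challenge the network before trusting it."""
        challenge = secrets.token_bytes(16)
        expected = keyed_response(self.a_key, b"BS", self.min, self.esn, challenge)
        answer = network_answer(self.min, self.esn, challenge)
        return hmac.compare_digest(expected, answer)


class AuthenticationCentre:
    def __init__(self):
        self.a_keys = {}    # (MIN, ESN) -> A-key, held only here and in the handset
        self.pending = {}   # (MIN, ESN) -> outstanding one-time challenge

    def provision(self, min_, esn):
        a_key = secrets.token_bytes(16)
        self.a_keys[(min_, esn)] = a_key
        return a_key

    def issue_challenge(self, min_, esn):
        challenge = secrets.token_bytes(16)
        self.pending[(min_, esn)] = challenge
        return challenge

    def verify(self, min_, esn, response):
        challenge = self.pending.pop((min_, esn), None)   # usable once only
        a_key = self.a_keys.get((min_, esn))
        if challenge is None or a_key is None:
            return False
        expected = keyed_response(a_key, b"MS", min_, esn, challenge)
        return hmac.compare_digest(expected, response)

    def answer_handset(self, min_, esn, challenge):
        a_key = self.a_keys.get((min_, esn))
        if a_key is None:
            return b""
        return keyed_response(a_key, b"BS", min_, esn, challenge)


def run_scenarios():
    ac = AuthenticationCentre()
    min_, esn = "9785550100", "82A1B2C3"        # constructed sample identity
    genuine = Handset(min_, esn, ac.provision(min_, esn))
    results = {}

    # 1. Genuine handset answers a fresh challenge.
    first = genuine.respond(ac.issue_challenge(min_, esn))
    results["genuine"] = ac.verify(min_, esn, first)

    # 2. A clone carries the correct MIN and ESN but not the A-key.
    clone = Handset(min_, esn, secrets.token_bytes(16))
    results["clone"] = ac.verify(min_, esn, clone.respond(ac.issue_challenge(min_, esn)))

    # 3. An answer recorded off the air is useless against the next challenge.
    ac.issue_challenge(min_, esn)
    results["replay"] = ac.verify(min_, esn, first)

    # 4. The handset validates the network; a station without the A-key fails.
    results["real_network"] = genuine.network_is_genuine(ac.answer_handset)

    def rogue_station(m, e, challenge):
        return keyed_response(secrets.token_bytes(16), b"BS", m, e, challenge)

    results["rogue_base_station"] = genuine.network_is_genuine(rogue_station)
    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:20s} accepted={accepted}")
```
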

Authenticate the positive... 

All second generation digital phones, as well as a large number of 
analogue phones, support authentication methods. As the user base of old
phones shrinks, those that are susceptible to cloning will also decrease, 
making fraud more apparent to the operators. The effectiveness of 
authentication techniques could also be increased by rationalising 
numbering systems so that all non-authentication compatible models fall 
within the same number range. 

Furthermore, the widespread use of authentication techniques will help 
limit fraud to subscription swindles and straightforward theft, both of 
which are more easily identified and prevented than cloning - at least for 
now. 

A number of measures to detect fraudulent activity are built into ACs 
and MSCs. These are based on activities or service requests associated with
a subscriber terminal that is identified as already being in service, or 
when various technical parameters are exceeded. These include control 
channel capability, control channel mode mismatch or premature 
registration. The network will tear down all such calls except for those 
connected to customer control centres or to the emergency services.

The use of pre-paid cellular accounts also seems to help minimise 
certain types of billing fraud. However, this solution is unpopular with 
law enforcement agencies because prepayment for airtime makes it very 
difficult and expensive to track down individual users. The leader of one 
big telco investigation unit told CI that his side of the cellular industry 
"wishes they simply weren't available". 

However, their use is on the increase. For example, 46% of this year's 
new subscribers to Vodafone's UK GSM network have opted for prepayment. It 
makes it easier for users to manage their spending on mobile calling and 
helps operators to reduce the amount of bad debt.

...and eliminate the negative 

Cellular fraud costs vast sums of money, but controlled measures 
against it can never be more than partially successful. This is a game of 
percentage savings.

Furthermore, fraud operators want to retain subscriber confidence, 
minimise churn and avoid any adverse publicity that might affect market 
share or stock prices. Thus, they often waive disputed charges or settle 
out-of-court in return for non-disclosure agreements. 

In the end though, it is the honest subscribers who, through paying 
the higher subscription, connection and call charges that fraud causes, 
foot the bill for being ripped-off.

Annual losses by Venezuelan cellular operator Telcel are known to be
in excess of US$1.5 million. The problem is that Venezuela lies across the
Bay of Mexico from Miami, Florida, where it is possible, and completely
legal, to buy cloning kits - complete with instruction manual - on the open
market for about $1,500.

One afternoon in 1995, US cops set up impromptu road blocks in New 
York's Bronx district and challenged motorists with mobile phones to name 
the carrier service to which they subscribed and how much they paid per 
month. Several dozen stolen phones were recovered in the short operation. 

Few fraud prevention methods are fool-proof, especially the 
logic-based systems which use the parameters of distance and time between 
calls from the same subscriber number to detect fraudulent use. Thus, a 
British fighter pilot who flew down to England from a base in Scotland 
recently found himself unable to tell his family that he had arrived safely 
- the cellular operator's software logic had decided that it was impossible 
for anyone to drive the distance in such a short time and barred his calls. 
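
An added sketch of the distance-and-time logic described above, not the operator's software: it flags consecutive calls on one subscriber number whose implied speed exceeds a threshold, and shows how a road-speed threshold produces the pilot's false positive. The coordinates, subscriber numbers, thresholds and function names are constructed assumptions.

```python
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MIN_DISTANCE_KM = 25.0   # assumption: ignore hops between neighbouring cells


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def velocity_alerts(records, max_kmh):
    """Return (number, km, km/h) for call pairs that imply travel above max_kmh.

    Each record is a dict with "min" (subscriber number), "time" (datetime)
    and "cell" ((lat, lon) of the serving cell site).
    """
    last_seen = {}
    alerts = []
    for rec in sorted(records, key=lambda r: r["time"]):
        prev = last_seen.get(rec["min"])
        last_seen[rec["min"]] = rec
        if prev is None:
            continue
        km = haversine_km(prev["cell"], rec["cell"])
        if km < MIN_DISTANCE_KM:
            continue                      # same area: nothing to infer
        hours = (rec["time"] - prev["time"]).total_seconds() / 3600
        # Two distant calls at the same instant can only be two handsets.
        kmh = km / hours if hours > 0 else math.inf
        if kmh > max_kmh:
            alerts.append((rec["min"], round(km, 1), round(kmh, 1)))
    return alerts


# Constructed call records; the numbers and coordinates are sample values.
PILOT, CLONED, ORDINARY = "07700900001", "07700900002", "07700900003"
CALLS = [
    # Subscriber who flew from Scotland to England in one hour.
    {"min": PILOT, "time": datetime(1998, 3, 2, 9, 0), "cell": (57.0, -3.0)},
    {"min": PILOT, "time": datetime(1998, 3, 2, 10, 0), "cell": (52.0, -1.0)},
    # Number in use in two distant cities five minutes apart: original plus clone.
    {"min": CLONED, "time": datetime(1998, 3, 2, 10, 0), "cell": (51.5, -0.1)},
    {"min": CLONED, "time": datetime(1998, 3, 2, 10, 5), "cell": (55.86, -4.25)},
    # Ordinary subscriber moving a couple of kilometres within one city.
    {"min": ORDINARY, "time": datetime(1998, 3, 2, 11, 0), "cell": (51.50, -0.10)},
    {"min": ORDINARY, "time": datetime(1998, 3, 2, 11, 10), "cell": (51.52, -0.12)},
]

ROAD_KMH = 130    # assumption: fastest plausible journey by car
AIR_KMH = 1000    # assumption: fastest plausible journey by air


if __name__ == "__main__":
    for label, limit in (("road", ROAD_KMH), ("air", AIR_KMH)):
        print(label, velocity_alerts(CALLS, limit))
```

With the road-speed limit both the pilot and the cloned number are flagged; raising the limit to air speed clears the pilot but also lets through any clone used far enough apart in time, which is why such a rule is better treated as a trigger for a further check than as an automatic bar.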

Some 40% of all car break-ins in London involve the theft of a mobile
phone. In other areas of the UK, this figure is even higher. Insurance 
against theft is available, but at up to US$90 per year many users regard 
this as too expensive, particularly when the phone itself costs much less 
than that. 

COPYRIGHT 1998 International Thomson Publishing Ltd. (UK) 
Measurement Repeatability



Although easy. 
...TEXT: it at that point would have been sticking our heads in the sand."

After its first report, AP verified the information with its own law
enforcement sources, Christian added.

"This obviously became a stampede, and I...
...TEXT: name and address window: "OFFICIAL NOTIFICATION OF GUARANTEED CASH
AVAILABILITY THE INFORMATION CONTAINED HEREIN HAS BEEN AUTHORIZED,
VERIFIED, APPROVED AND IS FULLY GUARANTEED BY INTERNAL REGULATIONS."

"FULLY GUARANTEED BY INTERNAL REGULATIONS?" It takes your breath...
TEXT:

...where their access point is busy. [With iPass] you're able to dial into
another provider's access point, get authenticated back to your home
ISP, use that access point, and presumably get billed for that usage from
HEWLETT PACKARD 4: W-CDMA Code-Domain Power Measurement Capability Now
Available for HP 89400 Series Vector Signal Analyzer 

November 02, 1998 

Byline: Computer Writers 

...D engineers can
accelerate the development of W-CDMA base stations by using this new
measurement to verify that base-station systems transmit correct
coding for all symbol rates.

HP has a wide range of design and test...
...SPECIFICATION and selects antennas for space diversity and polarization
when appropriate, as well as controls the MS power.

Authentication. The Base Station responds to Notes from the Base
Station Controller to authenticate a given MS. The BS sends the...
...ABSTRACT The AP transmits the first and second authentication messages
to the authentication server. If the authentication server validates 
the access point and the operator's logon name and password, it will 
authorize access to the wired network. 



...SPECIFICATION is connected to the wired LAN for providing the operator
with access to the wired LAN after authenticating the access point,
the wireless device, and the operator.
Brief description of the drawings

The foregoing and other objects, features...

...CLAIMS server connected to the wired LAN for providing the operator with
access to the wired LAN after authenticating the access point,
the wireless device, and the operator.
2. The secure wireless LAN of claim 1 wherein the access... 



...transmitting the first authentication message from the access point to a 
wireless device over a wireless channel; 
validating the access point by analyzing the first authentication 
message; 

generating a second authentication message including validating 
information about the wireless... 

...analyzing the second authentication message; 

transmitting the first and second authentication messages to an 

authentication server after validating the access point and the 
wireless device; 
validating the operator; and 

enabling a data channel between the wireless device and other devices on 
the wired LAN after validating the access point and the 
operator. 

9. The method of claim 8 wherein transmitting the first authentication 
message includes transmitting... 
...SPECIFICATION of stations:

1. Whenever a reassociate request frame is received from a station and
the station is authenticated, the access point transmits a
reassociation response with a status value indicating "successful";

2. If the status value is "successful...
...SPECIFICATION mobile communication including a mobile station which is
able to conduct diversity reception, a plurality of radio base
stations, and a base station controller communicating via the radio base
stations under control of a switching center...

...mobile communication including a mobile station which is able to conduct
diversity reception, a plurality of radio base stations, and a base
station controller communicating via the radio base stations under
control of a switching center ... trigger requirement to TACF triggers the
handover. Then, the network selects the base station among the candidate
base stations in order to execute the handover and notifies the mobile
station MS about the selected base station, thereby activating the
traffic channel in relation to the base station. Accordingly, it is
possible for the network to exclude complicated control procedures, e.g.,
detection procedure of ... mobility management.

With such a structure, prior to the mutual notification of the
encipherment onset, a user authentication procedure (refer to section
2.4.5.1) is executed as shown in Figure 63. In execution of the user
authentication procedure, a certificated encipherment key is previously
stored at UIMF and LRDF of the network and mobile... arithmetic operation
based on the authentication information (random number) and transmits the
authentication calculation result as an authentication response at step
S4. The authentication calculation uses an authentication key stored in
each mobile station MS ... for recognition.

c) The user authentication of the mobile station is executed as
described above. The user authentication will be described in more
detail at the section entitled "User Authentication" of this chapter.

d) In... calling and destination user terminals. "Incoming call
acceptance" procedures include paging, SDCCH control, user identity
retrieval, user authentication, encipherment-onset time notification,
routing in the network, establishment of access link, mutual information
transfer to and...

...can respond to another call (additional call). However, since the mobile
terminal has been already authenticated, the authentication process is
not carried out for the additional call.

Furthermore, if a plurality of mobile stations respond ... directed to a
mobile station, or when the location is registered.

In order to execute the user authentication, the system comprises the
following capabilities.

When a mobile station accesses the network, the network produces
various ...
Detailed Description

...are allowed to function in the communication system. However, in most
instances, the mobile stations do not authenticate the base stations
which are also sources of communication in the system.

The mobile stations are also vulnerable to unauthorized...

...whereby the network authenticates the user and the user authenticates
the network.

A traditional means of performing mutual authentication requires the
mobile station and the base station network to transmit challenge
numbers to each other, to calculate responses, to transmit the responses,
and to...

...step. In any case, the source of the second communication may be the
mobile station or the base station. As such, the invention provides an
efficient method of mutual authentication during any state of the mobile
station.
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... message. The peripheral would compare 

the challenge response with one generated locally and if they 
match the access point has been authenticated. Likewise, the 
access point may initiate authenticate the network using the 
same Authenticity Challenge and Challenge Response... 
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VALIDATE OR VALIDATES OR VALIDATING) (1W) (ITSELF OR OWN () SELF - 
OR THEMSELVES) ) 

S4     31  (AUTHENTICAT??? OR VALIDAT??? OR VERIF?)(1W)S1 
S5    333  MUTUAL?()(AUTHENTICAT??? OR VALIDAT??? OR VERIF?) 
S6      8  S1(10N)S5 
S7     71  (S2 OR S4 OR S6) 
S8     23  S7 AND AC=US/PR 
S9      8  S8 AND AY=(1985:1999)/PR 
S10    13  S7 AND PY=1985:1999 
S11    16  S9:S10 
S12    34  (BIDIRECTIONAL OR BI()DIRECTIONAL)()(AUTHENTICAT??? OR VALIDAT??? OR VERIF? OR CHECK???) 



11/5/1 (Item 1 from file: 347) 

DIALOG (R) File 347:JAPIO 
(c) 2005 JPO & JAPIO. All rts. reserv. 



06301020 **Image available** 

SYSTEM FOR VERIFICATION AND COMPUTER READABLE STORAGE MEDIUM STORING 
PROGRAM FOR VERIFICATION 



PUB. NO.:      11-242615 [JP 11242615 A] 
PUBLISHED:     September 07, 1999 (19990907) 
INVENTOR(s):   ARAI RITSUKO 
               KAYANO SHINICHIRO 
               SUZUKI KENJI 
APPLICANT(s):  MITSUBISHI ELECTRIC CORP 
APPL. NO.:     10-044113 [JP 9844113] 
FILED:         February 25, 1998 (19980225) 
INTL CLASS:    G06F-011/28; G06F-011/26; G06F-013/00 



ABSTRACT 



PROBLEM TO BE SOLVED: To provide a system for verification with which 
verifying work can be performed while reproducing the same system as a 
system to be verified without being affected by the configuration of an 
information processor for verification to be used for the system for 
verification. 

SOLUTION: Concerning this system, a means 7 for executing a program to be 
verified can be provided. In this case, this executing means 7 executes 
plural application (AP) programs 3 to be verified on an information 
processor 6 for verification having a virtual network memory 9 for storing 
data transmitted from the AP programs 3 to be verified while 
classifying them and stores the data transmitted from these AP programs 3 
to be verified on the virtual network memory 9 according to the said 
classification. 
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ABSTRACT 



PROBLEM TO BE SOLVED: To initialize connection between a mobile terminal of 
a public mobile communication network and an in-home base station by 
authenticating the mobile terminal, transmitting data which initializes 
connection to the in-home base station from the public mobile communication 
network to a terminal and transmitting the data to the in-home base 
station. 



SOLUTION: A mobile terminal is authenticated by a public mobile 
communication network, data that initializes connection with an in-home 
base station is transmitted from the public mobile communication network to 
a terminal and the data is transmitted from the mobile terminal to the 
in-home base station. That is, connection initialization data, especially, 
a frequency or a channel which is used to set connection, a start 
frequency, change rules of a frequency or an allowable maximum output and 
other parameters that are effective to connection in a more general sense 
are transmitted from the public mobile communication network to the mobile 
terminal. These data are transmitted, e.g., by an operator of the public 
mobile communication network, and the operator manages a frequency that is 
locally used with the mobile terminal. 
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ABSTRACT 

PROBLEM TO BE SOLVED: To prevent the fraudulent subscription of a handset 
by providing a ciphering means for ciphering subscriber data with respect 
to a telephone device having a subscribing means by which the handset and a 
base station are validated by means of subscriber data. 
SOLUTION: The handset HS1 is provided with a communication assembly 40 
having an antenna 41 so as to execute communication with the base station 
BS or with another handset HS2, etc., from it. When the handset subscribes 
the base station, three kinds of data stored in a read only memory 56, that 
is, identifier data of the base station where the handset subscribes, 
authenticating key data and data supplied to the subscribing base station 
by its own identifier are saved and stored in a ciphered shape in the read 
only memory 56. The data are extracted from the read only memory 56 and a 
prescribed box so as to be reversely converted before utilization for 
another box. Another handset is not used for subscriber data because of the 
existence of numbers which are assigned to the respective handsets. 
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Secure wireless LAN, has wireless device use by wireless device operator 
with access point connected to wired LAN in communication with wireless 
device through air channel authenticating wireless device 
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Abstract (Basic) : EP 1081895 Al 

NOVELTY - The network has a wireless device use by a wireless 
device operator. An access point connected to a wired LAN in 
communication with the wireless device through an air channel 
authenticating the wireless device. An authentication server connected 
to the wired LAN provides the operator with access to the wired LAN 
after authenticating the access point, the wireless device, and 
the operator. 

DETAILED DESCRIPTION - An INDEPENDENT CLAIM is included for a 
method for operating a LAN 

USE - For Secure wireless LAN. 

ADVANTAGE - Inexpensive, easy to set up, fast, and reliable. 

DESCRIPTION OF DRAWING(S) - The figure shows a block diagram of the 
network of the invention. 
pp; 13 DwgNo 2/3 

Title Terms: SECURE; WIRELESS; LAN; WIRELESS; DEVICE; WIRELESS; DEVICE; 
OPERATE; ACCESS; POINT; CONNECT; WIRE; LAN; COMMUNICATE; WIRELESS; DEVICE; 
THROUGH; AIR; CHANNEL; AUTHENTICITY; WIRELESS; DEVICE 
Derwent Class: W01 
International Patent Class (Main): H04L-012/28 
International Patent Class (Additional): H04L-029/06 
File Segment: EPI 



11/5/6 (Item 3 from file: 350) 

DIALOG (R) File 350:Derwent WPIX 
(c) 2005 Thomson Derwent. All rts. reserv. 

013023970 

WPI Acc No: 2000-195821/200017 

XRPX ACC No: N00-144861 
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station, to produce burst of data for subsequent communication 
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Abstract (Basic) : WO 200008879 Al 

NOVELTY - Communication between mobile station and base station 
is authenticated based on which a token field of data which 
authenticate the next communication between mobile and base station, is 
generated. Then, the token field of data is added to a data field, to 
produce a burst of data for the next communication between mobile and 
base station. 

DETAILED DESCRIPTION - The communication occurs after mobile 
station or base station switches from inactive state to active state. 
The next communication occurs after the mobile station switches from a 
quasi active state to active state. 

USE - For authenticating source of communication in cellular 
communication system. 

ADVANTAGE - Authentication of subsequent communication between base 
and mobile stations is performed with minimal overhead in over-the-air 
communication, thus permits efficient method of authenticating source 
of communication. 
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User information transmission procedure for mobile communication system - 
involves receiving assignment information for control channel to transmit 
user information to base station 
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Abstract (Basic) : JP 11234738 A 

NOVELTY - When user information is to be transmitted from mobile 
terminal to base station, assignment information of control channel is 
received through empty control channel, after receiving authentication 
from base station via access channel. Then, user information is 
transmitted to base station via assigned control channel. 

DETAILED DESCRIPTION - INDEPENDENT CLAIMS are also included for the following: 
apparatus used for performing user information transmission procedure; 
recording medium stored with user information transmission program. 

USE - For transmitting user information to base station in mobile 
communication system. 

ADVANTAGE - Control channel is used effectively. Number of terminal 
accommodations of base station is increased. 
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Abstract (Basic) : EP 903887 A2 

NOVELTY - Base station contacts service provider to obtain datum 
and then authenticates string. Base station can direct mobile 
unit to regenerate datum or create new one. 

USE - For cellular telephone, fax or modem. 

ADVANTAGE - Secure due to performing independent identification of 
caller at time when connection is established. Improved privacy. 

DESCRIPTION OF DRAWING(S) - The drawing shows a group of network 
providers and cellular radio providers which are interconnected using 
mobile and stationary telephones. 

pp; 17 DwgNo 1/11 

Title Terms: AUTHENTICITY; METHOD; MOBILE; STATION; CELLULAR; TELEPHONE; 
SYSTEM 
Derwent Class: W01; W02 
International Patent Class (Main): H04L-009/32 
International Patent Class (Additional): H04Q-007/38 
File Segment: EPI 



11/5/15 (Item 12 from file: 350) 

DIALOG (R) File 350:Derwent WPIX 
(c) 2005 Thomson Derwent. All rts. reserv. 

008771943 **Image available** 
WPI Acc No: 1991-275958/ 199138 
XRPX Acc No: N91-210804 

Checking comprehensive authentication in mobile telephone system - 
incorporating bidirectional checks between mobile and base stations to 
prevent false base stations establishing mobile subscription 

Patent Assignee: TELEFONAKTIEBOLAGET ERICSSON L M (TELF); ERICSSON OY AB 
  L M (TELF) 
Inventor: DAHLIN J E A; RAITH A K; WILKINSON D P; DAHLIN E A S; 
  DAHLIN J E; AKE J E; DENT W P; DENT W; RAITH A; DAHLIN E S; DENT P W 
Number of Countries: 029 Number of Patents: 028 
Patent Family: 

Patent No     Kind  Date      Applicat No   Kind  Date      Week 
EP 447380     A     19910918  EP 91850016   A     19910120  199138 
WO 9114348    A     19910919                                199140 
SE 9000856    A     19910910                                199144 
SE 465800     B     19911028                                199146 
AU 9174952    A     19911010                                199201 
FI 9105237    A     19911106                                199207 
NO 9104357    A     19911107                                199209 
BR 9104907    A     19920414  BR 914907     A     19910129  199222 
                              WO 91SE66     A     19910129 
CN 1054868    A     19910925  CN 91101527   A     19910309  199226 
JP 4505693    W     19921001  JP 91505884   A     19910129  199246 
                              WO 91SE66     A     19910129 
PT 96979      A     19930430  PT 96979      A     19910308  199321 
TW 199250     A     19930201  TW 91100981   A     19910207  199327 
NZ 236936     A     19930727  NZ 236936     A     19910129  199333 
AU 638820     B     19930708  AU 9174952    A     19910129  199334 
US 5282250    A     19940125  US 91655771   A     19910215  199405 
                              US 9368234    A     19930527 
US 5390245    A     19950214  US 91655771   A     19910215  199512 
                              US 9343758    A     19930407 
                              US 9368234    A     19930527 
EP 447380     B1    19950412  EP 91850016   A     19910129  199519 
DE 69108762   E     19950518  DE 608762     A     19910129  199525 
                              EP 91850016   A     19910129 
CN 1024241    C     19940413  CN 91101527   A     19910309  199527 
ES 2073726    T3    19950816  EP 91850016   A     19910129  199539 
SG 9590931    A     19951222  SG 9590931    A     19950526  199611 
IE 67887      B     19960501  IE 91544      A     19910218  199629 
US 5559886    A     19960924  US 91655771   A     19910215  199644 
                              US 9343758    A     19930407 
                              US 9368234    A     19930527 
                              US 94298782   A     19940831 
NO 300249     B1    19970428  WO 91SE66     A     19910129  199724 
                              NO 914357     A     19911107 
FI 102134     B1    19981015  WO 91SE66     A     19910129  199847 
                              FI 915237     A     19911106 
PH 30204      A     19970205  PH 42018      A     19910218  199953 
KR 144560     B1    19980817  KR 91701553   A     19911108  200022 
CA 2051385    C     20010403  CA 2051385    A     19910129  200124 
                              WO 91SE66     A     19910129 



Priority Applications (No Type Date) : SE 90856 A 19900309 
Cited Patents: DE 3405381; DE 3420460; US 4436957 
Patent Details: 

Patent No     Kind  Lan  Pg  Main IPC 
EP 447380     A           7 
   Designated States (Regional): AT BE CH DE ES FR GB GR IT LI LU NL 
WO 9114348    A 
   Designated States (National): AU BR CA FI JP KR NO 
BR 9104907    A              H04Q-007/02 
CN 1054868    A              H04B-007/26 
JP 4505693    W           5  H04B-007/26 
PT 96979      A              H04Q-007/02 
TW 199250     A              H04B-007/26 
NZ 236936     A              H04B-007/26 
AU 638820     B              H04Q-007/02 
US 5282250    A           7  H04L-009/32 
US 5390245    A           5  H04L-009/32 
EP 447380     B1    E     8  H04Q-007/22 
   Designated States (Regional): AT BE CH DE DK ES FR GB GR IT LI LU NL 
DE 69108762   E              H04Q-007/22 
CN 1024241    C              H04B-007/26 
ES 2073726    T3             H04Q-007/22 
SG 9590931    A 
IE 67887      B              H04Q-007/04 
US 5559886    A           6  H04L-009/00 
NO 300249     B1             H04B-007/26 
FI 102134     B1             H04Q-007/38 
PH 30204      A              H04L-009/32 
KR 144560     B1             H04Q-007/02 
CA 2051385    C     E        H04Q-007/02 

Filing Notes: 
Based on patent WO 9114348 
Based on patent WO 9114348 
Previous Publ. patent AU 9174952 
Based on patent WO 9114348 
Cont of application US 91655771 
Cont of application US 91655771 
Cont of application US 9368234 
Cont of patent US 5282250 
Based on patent EP 447380 
Based on patent EP 447380 
Previous Publ. patent EP 447380 
Cont of application US 91655771 
Cont of application US 9343758 
Cont of application US 9368234 
Cont of patent US 5220605 
Cont of patent US 5282250 
Cont of patent US 5390245 
Previous Publ. patent NO 9104357 
Previous Publ. patent FI 9105237 
Based on patent WO 9114348 



Abstract (Basic) : EP 447380 A 

The method involves establishing a connection in which the base 
station sends a question concerning the authentication of the mobile 
station and orders the mobile to send a first response signal (Resp 1) 
which is used in the base station to establish the authentication. 

Subsequent to establishing the authentication of the mobile 
(2,3,4) in the base station, there is sent from the base station a 
second response signal (Resp 2) to the mobile, which forms (8) a 
corresp. second response signal (Resp 2) in order to establish (9) the 
authentication of the base station. When this authentication is 
established, the mobile sends a third response signal (Resp 3) and 
establishes the authentication of the mobile prior to the connection 
being established. 

USE - E.g. for paging systems. (7pp Dwg.No.2/2) 
Title Terms: CHECK; COMPREHENSIVE; AUTHENTICITY; MOBILE; TELEPHONE; SYSTEM; 
INCORPORATE; BIDIRECTIONAL; CHECK; MOBILE; BASE; STATION; PREVENT; FALSE; 
BASE; STATION; ESTABLISH; MOBILE; SUBSCRIBER 
Derwent Class: W01; W02; W05 

International Patent Class (Main): H04B-007/26; H04L-009/00; H04L-009/32; 
H04Q-007/02; H04Q-007/04; H04Q-007/22; H04Q-007/38 
International Patent Class (Additional): H04M-001/66; H04M-001/72; 
H04Q-001/66; H04Q-007/06 
File Segment: EPI 



